DISCRETE MATHEMATICS AND ITS APPLICATIONS
Series Editor KENNETH H. ROSEN

A MULTIDISCIPLINARY INTRODUCTION TO INFORMATION SECURITY

Stig F. Mjølsnes
Norwegian University of Science & Technology
Trondheim

CRC Press
Taylor & Francis Group
Boca Raton London New York
CRC Press is an imprint of the Taylor & Francis Group, an informa business
A CHAPMAN & HALL BOOK

Contents

1 Introduction
  S. F. Mjølsnes
  1.1 Motivation
  1.2 What Is Information Security?
  1.3 Some Basic Concepts
    1.3.1 The Communication Perspective
    1.3.2 The Shared Computer Perspective
  1.4 A Synopsis of the Topics
    1.4.1 The Book Structure
    1.4.2 Security Electronics
    1.4.3 Public Key Cryptography
    1.4.4 Hash Functions
    1.4.5 Quantum Cryptography
    1.4.6 Cryptographic Protocols
    1.4.7 Public Key Infrastructure
    1.4.8 Wireless Network Access
    1.4.9 Mobile Security
    1.4.10 Software Security
    1.4.11 ICT Security Evaluation
    1.4.12 ICT and Forensic Science
    1.4.13 Risk Assessment
    1.4.14 The Human Factor
  1.5 Further Reading and Web Sites
  Bibliography

2 Security Electronics
  E. J. Aas and P. G. Kjeldsberg
  2.1 Introduction
  2.2 Examples of Security Electronics
    2.2.1 RSA as Hardwired Electronics
    2.2.2 AES as Hardwired Electronics
    2.2.3 Examples of Commercial Applications
  2.3 Side Channel Attacks
  2.4 Summary
  2.5 Further Reading and Web Sites
  Bibliography

3 Public Key Cryptography
  S. O. Smalø
  3.1 Introduction
  3.2 Hash Functions and One Time Pads
  3.3 Public Key Cryptography
  3.4 RSA-Public Key Cryptography
  3.5 RSA-Public-Key-Cryptography with Signature
  3.6 Problem with Signatures
  3.7 Receipt
  3.8 Secret Sharing Based on Discrete Logarithm Problems
  3.9 Further Reading
  Bibliography

4 Cryptographic Hash Functions
  D. Gligoroski
  4.1 Introduction
  4.2 Definition of Cryptographic Hash Function
  4.3 Iterated Hash Functions
    4.3.1 Strengthened Merkle-Damgård Iterated Design
    4.3.2 Hash Functions Based on Block Ciphers
    4.3.3 Generic Weaknesses of the Merkle-Damgård Design
    4.3.4 Wide Pipe (Double Pipe) Constructions
    4.3.5 HAIFA Construction
    4.3.6 Sponge Functions Constructions
  4.4 Most Popular Cryptographic Hash Functions
    4.4.1 MD5
    4.4.2 SHA-1
    4.4.3 SHA-2
    4.4.4 NIST SHA-3 Hash Competition
  4.5 Application of Cryptographic Hash Functions
    4.5.1 Digital Signatures
    4.5.2 Other Applications
  4.6 Further Reading and Web Sites
  Bibliography

5 Quantum Cryptography
  D. R. Hjelme, L. Lydersen, and V. Makarov
  5.1 Introduction
  5.2 Quantum Bit
  5.3 Quantum Copying
  5.4 Quantum Key Distribution
    5.4.1 The BB84 Protocol
    5.4.2 The BB84 Protocol Using Polarized Light
  5.5 Practical Quantum Cryptography
    5.5.1 Loss of Photons
    5.5.2 Error Correction and Privacy Amplification
    5.5.3 Security Proofs
    5.5.4 Authentication
  5.6 Technology
    5.6.1 Single Photon Sources
    5.6.2 Single Photon Detectors
    5.6.3 Quantum Channel
    5.6.4 Random Number Generator
  5.7 Applications
    5.7.1 Commercial Application of Quantum Cryptography
    5.7.2 Commercial Systems with Dual Key Agreement
    5.7.3 Quantum Key Distribution Networks
  5.8 Summary
  5.9 Further Reading and Web Sites
  Bibliography

6 Cryptographic Protocols
  S. F. Mjølsnes
  6.1 The Origins
  6.2 Information Policies
  6.3 Some Concepts
    6.3.1 Primitives and Protocols
    6.3.2 Definitions
    6.3.3 The Protocol as a Language
    6.3.4 Provability
    6.3.5 Modeling the Adversary
    6.3.6 The Problem of Protocol Composition
  6.4 Protocol Failures
    6.4.1 Reasons for Failure
    6.4.2 An Example of Protocol Failure
  6.5 Heuristics
    6.5.1 Simmons' Principles
    6.5.2 Separation of Concerns
    6.5.3 More Prudent Engineering Advice
  6.6 Tools for Automated Security Analysis
  6.7 Further Reading and Web Sites
  Bibliography

7 Public Key Distribution
  S. F. Mjølsnes
  7.1 The Public Key Distribution Problem
  7.2 Authenticity and Validity of Public Keys
  7.3 The Notion of Public Key Certificates
    7.3.1 Certificates
    7.3.2 Public Key Certificates
    7.3.3 Certificate Data Structures
    7.3.4 Chain of Certificates
  7.4 Revocation
    7.4.1 The Problem of Revocation
    7.4.2 The CRL Data Structure
  7.5 Public Key Infrastructure
  7.6 Identity-Based Public Key
  7.7 Further Reading and Web Sites
  Bibliography

8 Wireless Network Access
  S. F. Mjølsnes and M. Eian
  8.1 Introduction
  8.2 Wireless Local Area Networks
    8.2.1 The Standard
    8.2.2 The Structure
    8.2.3 Message Types
  8.3 The 802.11 Security Mechanisms
  8.4 Wired Equivalent Privacy
    8.4.1 RSN with TKIP
  8.5 RSN with CCMP
    8.5.1 Security Services
    8.5.2 Authentication
    8.5.3 Data Confidentiality
    8.5.4 Key Management
    8.5.5 Data Origin Authenticity
    8.5.6 Replay Detection
    8.5.7 Summary of Security Services
  8.6 Assumptions and Vulnerabilities
  8.7 Summary
  8.8 Further Reading and Web Sites
  Bibliography

9 Mobile Security
  J. A. Audestad
  9.1 GSM Security
  9.2 3G Architecture
  9.3 Extent of Protection
  9.4 Security Functions in the Authentication Center
    9.4.1 3G
    9.4.2 GSM
  9.5 Security Functions in the SGSN/RNC
  9.6 Security Functions in the Mobile Terminal (USIM)
  9.7 Encryption and Integrity
    9.7.1 Encryption in GSM (A5/1)
    9.7.2 Encryption in 3G
      9.7.2.1 Method
      9.7.2.2 Keystream Generation Algorithm
      9.7.2.3 Initialization of the Keystream Generator
      9.7.2.4 Production of the Keystream
    9.7.3 Integrity in 3G
  9.8 Anonymity
  9.9 Example: Anonymous Roaming in a Mobile Network
    9.9.1 Procedure
    9.9.2 Information Stored
    9.9.3 Prevention of Intrusion
      9.9.3.1 The Mobile Terminal Is an Impostor
      9.9.3.2 Both the Mobile Terminal and the Home Network Are Impostors
      9.9.3.3 The Foreign Network Is an Impostor
  9.10 Using GSM/3G Terminals as Authentication Devices
    9.10.1 Architecture
    9.10.2 One Time Password
    9.10.3 The Extensible Authentication Protocol (EAP)
  9.11 Further Reading
  Bibliography

10 A Lightweight Approach to Secure Software Engineering
  M. G. Jaatun, J. Jensen, P. H. Meland and I. A. Tøndel
  10.1 Introduction
  10.2 Assets
    10.2.1 Asset Identification
    10.2.2 Asset Identification in Practice
      10.2.2.1 Key Contributors
      10.2.2.2 Step 1: Brainstorming
      10.2.2.3 Step 2: Assets from Existing Documentation
      10.2.2.4 Step 3: Categorization and Prioritization
    10.2.3 Example
  10.3 Security Requirements
    10.3.1 Description
    10.3.2 Security Objectives
    10.3.3 Asset Identification
    10.3.4 Threat Analysis and Modeling
    10.3.5 Documentation of Security Requirements
    10.3.6 Variants Based on Specific Software Methodologies
    10.3.7 LyeFish Example Continued
  10.4 Secure Software Design
    10.4.1 Security Architecture
    10.4.2 Security Design Guidelines
      10.4.2.1 Security Design Principles
      10.4.2.2 Security Patterns
    10.4.3 Threat Modeling and Security Design Review
    10.4.4 Putting It into Practice - More LyeFish
      10.4.4.1 Applying Security Design Principles
      10.4.4.2 Making Use of Security Design Patterns
      10.4.4.3 Make Use of Tools for Threat Modeling
      10.4.4.4 Performing Security Review
  10.5 Testing for Software Security
    10.5.1 Background
    10.5.2 The Software Security Testing Cycle
    10.5.3 Risk-Based Security Testing
    10.5.4 Managing Vulnerabilities in SODA
    10.5.5 Example - Testing LyeFish
  10.6 Summary
  10.7 Further Reading and Web Sites
  Bibliography

11 ICT Security Evaluation
  S. J. Knapskog
  11.1 Introduction
  11.2 ISO/IEC 15408, Part 1/3 Evaluation Criteria for IT Security (CC)
    11.2.1 The Development of the Standard
    11.2.2 Evaluation Model
    11.2.3 Security Requirements
  11.3 Definition of Assurance
  11.4 Building Confidence in the Evaluation Process
  11.5 Organizing the Requirements in the CC
  11.6 Assurance Elements
  11.7 Functional Classes
  11.8 Protection Profiles (PPs)
  11.9 Protection Profile Registries
  11.10 Definition of a Security Target (ST)
  11.11 Evaluation of a Security Target (ST)
  11.12 Evaluation Schemes
  11.13 Evaluation Methodology
  11.14 Summary
  11.15 Further Reading and Web Sites
  Bibliography

12 ICT and Forensic Science
  S. F. Mjølsnes and S. Y. Willassen
  12.1 The Crime Scene
  12.2 Forensic Science and ICT
  12.3 Evidence
    12.3.1 Judicial Evidence
    12.3.2 Digital Evidence
    12.3.3 Evidential Reasoning
    12.3.4 Lack of Evidence
  12.4 The Digital Investigation Process
  12.5 Digital Evidence Extraction
    12.5.1 Sources of Digital Evidence
    12.5.2 Extraction
  12.6 Digital Evidence Analysis Techniques
  12.7 Anti-Forensics
  12.8 Further Reading and Web Sites
  Bibliography

13 Risk Assessment
  S. Haugen
  13.1 Risk Assessment in the Risk Management Process
  13.2 Terminology
    13.2.1 Risk
    13.2.2 Vulnerability
    13.2.3 Hazards, Threats, Sources, and Events
    13.2.4 Risk Analysis, Risk Evaluation, and Risk Assessment
  13.3 Main Elements of the Risk Assessment Process
    13.3.1 Establish Context
    13.3.2 Describe System, Controls, and Vulnerabilities
    13.3.3 Identify Assets
    13.3.4 Identify Threats
    13.3.5 Identify Events and Causes and Estimate Likelihood
    13.3.6 Identify and Estimate Consequences
    13.3.7 Estimate Risk Level
    13.3.8 Risk Evaluation
    13.3.9 Risk Treatment
  13.4 Summary
  13.5 Further Reading and Web Sites
  Bibliography

14 Information Security Management From Regulations to End Users
  E. Albrechtsen and J. Hovden
  14.1 A Risk Governance Framework Applied to Information Security
  14.2 Regulations and Control
  14.3 Information Security Management
    14.3.1 Formal and Informal
    14.3.2 Formal Approaches to Information Security Management
    14.3.3 Informal Aspects of Information Security Management
    14.3.4 Information Security Culture
  14.4 Further Reading and Web Sites
  Bibliography

Index